Splunk Search

Splunk Query Task

Rawabi1994
New Member

I want a Splunk query related to:
1. Firewalls availability
2. Endpoint protection availability

This is for my own work; can you help with this?

Thank you

Best Regards.


gcusello
SplunkTrust

Hi @Rawabi1994,

The information you shared is really too little to help you!

Anyway, when you speak of firewall and endpoint availability, do you mean that you're receiving logs from your firewalls and endpoints?

If this is your need, you could create a lookup containing the list of firewalls (and another for endpoints) to check, called e.g. FW_perimeter.csv.

Then you have to run a search like this:


index=firewalls earliest=-5m
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup FW_perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way, you'll have a list of the firewalls in your lookup that didn't send logs in the last period (e.g. 5 minutes).

Pay attention to the host field: check whether it contains a hostname or an IP address in the results and use the same in the lookup.

It's also possible to automatically update the lookup, running a scheduled search (e.g. every night) on the firewalls that sent logs in the last month, but I don't like this solution because in this way you lose control of the monitored list.

Ciao.

Giuseppe

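A fuller version of the same "expected list minus observed hosts" check, added here as an example and not part of the original answer. It keeps the answer's assumed index name (index=firewalls) and lookup name (FW_perimeter.csv); the 24-hour search window and the 300-second silence threshold are illustrative choices. It uses tstats instead of a raw event search because the host field is indexed, so the search stays cheap when scheduled every few minutes, and it reports how long each expected device has been silent rather than only that it is missing:

```spl
| tstats count latest(_time) AS last_seen WHERE index=firewalls earliest=-24h BY host
| eval host=lower(host)
| append [ | inputlookup FW_perimeter.csv | eval host=lower(host), count=0, expected=1 | fields host count expected ]
| stats sum(count) AS events_24h max(last_seen) AS last_seen max(expected) AS expected BY host
| where expected=1 AND (events_24h=0 OR now()-last_seen > 300)
| eval silent_for=if(events_24h=0, "> 24h", tostring(now()-last_seen, "duration"))
| table host events_24h last_seen silent_for
```

Hosts that appear in the index but not in the lookup never get expected=1 and are filtered out, so the lookup stays the single controlled list of what must be monitored; anything seen in the last 24 hours but quiet for more than 300 seconds is listed with its last event time and silence duration, and anything never seen in the window shows "> 24h". Save it as a scheduled alert (for example every 5 minutes, triggering when the number of results is greater than 0), and clone it with the endpoint-protection index and a second lookup for the endpoint check. The lower(host) on both sides only helps if the lookup stores the same kind of value (hostname or IP) that the host field carries in the events.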